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Abstract. We study the fundamental problem of achieving consensus 
in a synchronous dynamic network, where an omniscient adversary con- 
trols the unidirectional communication links. Its behavior is modeled as 
a sequence of directed graphs representing the active (i.e. timely) com- 
munication links per round. We prove that consensus is impossible un- 
der some natural weak connectivity assumptions, and introduce vertex- 
stable root components as a — practical and not overly strong — means 
for circumventing this impossibility. Essentially, we assume that there is 
a short period of time during which an arbitrary part of the network re- 
mains strongly connected, while its interconnect topology keeps changing 
continuously. We present a consensus algorithm that works under this 
assumption, and prove its correctness. Our algorithm maintains a local 
estimate of the communication graphs, and applies techniques for detect- 
ing stable network properties and univalent system configurations. Our 
possibility results are complemented by several impossibility results and 
lower bounds, which reveal that our algorithm is asymptotically optimal. 



1 Introduction 

Dynamic networks, instantiated, e.g., by (wired) peer-to-peer (P2P) networks, 
(wireless) sensor networks, mobile ad-hoc networks and vehicular area networks, 
are becoming ubiquitous nowadays. The primary properties of such networks are 
(i) sets of participants (called processes in the sequel) that are a priori unknown 
and maybe time-varying, and (ii) the absence of central control. Such assump- 
tions make it very difficult to setup and maintain the basic system, and create 
particular challenges for the design of robust distributed services for applications 
running on such dynamic networks. 

A natural approach to build robust services despite mobility, churn, fail- 
ures, etc. of processes is to use distributed consensus to agree system-wide on 
(fundamental) parameters like schedules, frequencies, etc. Although system- wide 
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agreement indeed provides a very convenient abstraction for building robust ser- 
vices, it inevitably rests on the ability to efficiently implement consensus in a 
dynamic network. 

Doing this in wireless dynamic networks is particularly challenging, for sev- 
eral reasons: First, whereas wireline networks are usually adequately modeled 
by means of bidirectional links, this is not the case for wireless networks: Fading 
phenomenons and interference [T3] are local effects that affect only the receiver 
of a wireless link. Since the receiver of the reverse link is located in a different 
place in the network, it is very likely that it faces very different levels of fading 
and interference. Thus, wireless links are more adequately modeled by means of 
pairs of unidirectional links, which are considered independent of each other. 

Second, wireless networks are inherently broadcast. When a process trans- 
mits, then every other process within its transmission range will observe this 
transmission — either by legitimately receiving the message or as some form 
of interference. This creates quite irregular communication behavior, such as 
capture effects and near-far problems [24], where certain (nearby) transmitters 
may "lock" some receiver and thus prohibit the reception of messages from other 
senders. As a consequence, wireless links that work correctly at a given time may 
have a very irregular spatial distribution, and may also vary heavily with time. 

Finally, taking also into account mobility of processes and/or peculiarities in 
the system design (for example, duty-cycling is often used to conserve energy 
in wireless sensor networks), it is obvious that static assumptions on the com- 
munication topology, as underlying classic models like unit disc graphs, are not 
adequate for wireless dynamic networks. 

We hence argue that such dynamic systems can be modeled adequately only 
by means dynamically changing directed communication graphs. Since synchro- 
nized clocks are required already for basic communication in wireless systems, 
e.g., for transmission scheduling and sender/receiver synchronization, we also 
assume that the system is synchronous. 

Contributions. Similar to Kuhn et al. [18], we consider consensus in a system 
modeled by means of a sequence of communication graphs, one for each round. In 
sharp contrast to existing work, our communication graphs are directed, and our 
rather weak connectivity assumptions do not guarantee bidirectional (multi-hop) 
communication between all processes. 

(1) We prove that communication graphs that are weakly connected in every 
round are not sufficient for solving consensus, and introduce a fairly weak ad- 
ditional assumption that allows to overcome this impossibility. It requires that, 
in every round, there is exactly one arbitrary strongly connected component 
(called a root component) that has only out-going links to (some of) the remain- 
ing processes and can reach every process in the system via several hops. Since 
this assumption is still too weak for solving consensus, we add the requirement 
that, eventually, there will be a short interval of time where the processes in 
the root component remain the same, although the connection topology may 
change. We coined the term vertex-stable root component (for some window of 
limited stability) for this requirement. 



(2) We provide a consensus algorithm that works in this model, and prove its 
correctness. Our algorithm requires a window of stability that has a size of 4D, 
where D is the number of rounds required to reach all processes in the network 
from any process in the vertex-stable root component. While in general D can 
be in 0(n), we show how to obtain an improved running time (in 0(log n)) when 
assuming certain expanding graph topologies. 

(3) We show that any consensus algorithm has to know an a priori bound on 
D. Since the system size n is a trivial bound on D, this implies that there is no 
uniform algorithm, i.e., no algorithm unaware of the size of the network, that 
solves consensus in our model. This holds for deterministic and randomized (Las 
Vegas) algorithms. In addition, we establish a lower bound of D for the window 
of stability. 

(4) We prove that neither reliable broadcast, atomic broadcast, nor causal- 
order broadcast can be implemented in our model without additional assump- 
tions. Moreover, there is no algorithm that solves counting, /c-verification, k- 
token dissemination, all-to-all token dissemination, and fc-committee election. 

2 Related Work 

We are are not aware of any previous work on consensus in directed and dynamic 
networks with such weak connectivity requirements. This is also true for an 
earlier paper [5] , where we assumed the existence of an underlying static skeleton 
graph (a non-empty common intersection of all communication graphs of all 
rounds), which had to include a static root component. By contrast, in this 
paper, we allow the graphs to be totally dynamic, except for a (sufficiently large) 
time window where the members (but not the topology!) of the root component 
are the same. 

Dynamic networks have been studied intensively in distributed computing. 
Early work on this topic includes [TJ|3]. One basic assumption that can be used 
to categorize research in dynamic networks is whether the set of processes is 
assumed to be fixed, or subject to churn (i.e., processes join and leave over time). 
The latter has mostly been considered in the area of peer-to-peer networks and 
the construction of overlays. We refer the interested reader to [TH] for a more 
detailed treatment of related work in this area. 

When the set of processes is considered to be fixed, dynamicity in the network 
is modeled by changes in the network topology. Over time several approaches to 
modeling dynamic connectivity in networks have been proposed. We will in the 
following focus on two lines of research that are closest to ours: work that models 
directly the underlying (evolving) communication graph, and approaches taken 
in the context of consensus. 

Evolving graph models 

There is a rich body of literature on dynamic graph models going back to [14] , 
which also mentions for the first time modeling a dynamic graph as a sequence of 



static graphs, as we do. A survey on dynamic networks can be found in |16j . Re- 
cently, Casteigts et al. [7J have introduced a classification of time varying graphs, 
that is, a classification of the assumptions about the temporal properties of these 
graphs. We will (cf. Lemma HPf]) show that our assumption falls between two of 
the weakest classes considered, as we can only guarantee one-directional reacha- 
bilityH We are not aware of any other papers considering such weak assumptions 
in the context of agreement. 

Closest to our own work is that of Kuhn et al. [T5] , who also consider agree- 
ment problems in dynamic networks based on the model of [17] . This model 
is based on distributed computations organized in lock-step rounds, and states 
assumptions on the connectivity in each round as a separate (round) communi- 
cation graph. While the focus of [T7J is the complexity of aggregation problems 
in dynamics networks, |18) focuses on agreement problems; more specifically on 
the Z\-coordinated consensus problem, which extends consensus by requiring all 
processes to decide within A rounds of the first decision. In both papers, only 
(i) undirected graphs that are (ii) connected in every round are considered. In 
terms of the classes of [7J, they are in one of the strongest classes (Class 10), 
which means (among other things) that each process is always reachable by ev- 
ery other process. Since node failures are not considered, solving consensus is 
always possible in this model without additional assumptions; the focus of |18j 
is on /^-coordinated and simultaneous consensus and its time complexity. 

The dynamic nature of P2P networks is studied in [5] in the context of 
almost-everywhere agreement jS], which weakens the classic consensus problem 
in the sense that a small linear fraction of processes might decide differently. 
In the model of [2], the adversary can subject up to a linear fraction of nodes 
to churn per round; assuming that the network size remains stable, this means 
that up to en nodes (for some small e > 0) can be replaced by new nodes in 
every round. Moreover, changes to the (undirected) topology of the network are 
also under the control of the adversary. To avoid almost-everywhere agreement 
from becoming trivially unsolvable, 12^ assumes that the network is always an 
expander. 

Transmission Failure Models 

Instead of considering a dynamic graph that defines which processes communi- 
cate in each round, an alternative approach is based on the (dual) idea of as- 
suming a fully connected network of (potential) communication, and considering 
that communication in a round can fail. The notion of transmission failures was 
introduced by Santoro and Widmayer [22] . who assumed dynamic transmission 
failures and showed that n — \ dynamic transmission failures in the benign case 
(or n/2 in case of arbitrary transmission failures) render any non-trivial agree- 
ment impossible. As it assumes unrestricted transmission failures (the (only) 
case considered in their proof are failures that affect all the transmissions of a 



4 Here, reachability does not refer to the graph-theoretic concept of reachability, but 
rather to the ability to eventually communicate information to another process. 



single process), it does not apply to any model which considers perpetual mutual 
reachability of processes (e.g., [18]). 

The HO-model [5] is also based on transmission failures. It relies on the 
collection of sets of processes a process hears of (i.e., receives a message from) 
in a round. Different system assumptions are modeled by predicates over this 
collection of sets. The HO-model is totally oblivious to the actual reason why 
some process does not hear from another one: Whether the sender committed a 
send omission or crashed, the message was lost during transmission or is simply 
late, or the receiver committed a receive omission. A version of the model also 
allowing communication to be corrupted is presented in jj. Indeed, the HO- 
model is very close to our graph model, as an edge from p to q in the graph of 
round r corresponds to p being in the round r HO set of q. 

The approach taken by Gafni [T2] has some similarities to the HO-model (of 
which it is a predecessor) , but is more focused on process failures than the work 
by Santoro and Widmayer. Here an oracle (a round-by-round failure detector) 
is considered to tell processes the set of processes they will be not be able to 
receive data from in the current round. Unlike the approaches discussed above, it 
explicitly states how rounds are implemented; nevertheless, the oracle abstracts 
away the actually reason for not receiving a message. So, like in the HO-model, 
the same device is used to describe failures and (a)synchrony. 

Another related model is the perception based failure model [SJ[53], which 
uses a sequence of perception matrices (corresponding to HO sets) to express 
failures of processes and links. As for communication failures, the impossibility 
result of Santoro and Widmayer is circumvented by putting separate restrictions 
on the number of outgoing and incoming links that can be affected by transmis- 
sion failures |23j . Since transmission failures are counted on a per process/per 
round basis, agreement was shown to be possible in the presence of 0(n 2 ) total 
transmission failures per round. 

The approach we used in [3] relied on restricting the communication failures 
per round in a way that secures the existence of a static skeleton graph (which 
exists in all rounds). In the terminology of this paper, [3] stipulates the existence 
of an oo-interval vertex-stable root component. By contrast, Assumption [T] used 
in this paper is even weaker than eventual T-interval connectivity, as we never 
forbid the set of edges to change from one round to the next. That is, in our 
model, the intersection of the edge sets in two consecutive rounds can always be 
empty, even during the stable window. 



3 Model and Preliminaries 

We consider synchronous computations of a dynamic network of a fixed set of 
distributed processes H with |J7| = n ^ 2. Processes can communicate with 
their current neighbors in the network by sending messages taken from some 
finite message alphabet M.. 



In the following three subsections, we will present our computational model 
and define what it means to solve consensus in this model. In Section [U we will 
introduce constraints that make consensus solvable in our model. 

3.1 Computational Model. 

Similar to the LOCAL model [2TJ, we assume that processes organize their 
computation as an infinite sequence of lock-step rounds. For every p 6 77 and 
each round r > 0, let S p € § p be the state of p at the beginning of round r; the 
initial state is denoted by S p G S p C § p . The round r computation of process p 
is determined by the following two functions that make up p's algorithm: The 
message sending function M p : § p — > A4 determines the message m p broadcast 
by p in round r, based on p's state S p at the beginning of round r. We assume 
that some (possibly empty) message is broadcast in every round, to all (current!) 
neighbors of p. The transition function T p : S p 

x 2{nxM) g p takes p's state S p 
at the beginning of round r and a set of pairs of process ids and messages [i r p . This 
set represents the round r messaged received by p from other processes in the 
system, and computes the successor state We assume that, for each process 

q, there is at most one (q, m q ) £ ^ such that m q is the message q sent in round 
r. Note that neither M p nor T p need to involve n, i.e., the algorithms executed 
by the processes may be uniform w.r.t. the network size n: Which processes 
a process actually receives from in round r depends solely on the underlying 
communication graph of round r, which we define in Section EOl 

Consensus. 

To formally introduce the consensus problem, we assume some ordered set V 
and consider the set of possible initial states § p (of process p) to be partitioned 
into \V\ subsets § p [v], with v & V. When p starts in a state in § p [v], we say 
that v is p's input value, denoted v p = v. Moreover, we assume that, for each 
v G V, there is a (sub-)set V p [v] c S P of decided states that is closed under p's 
transition function, i.e., where T p maps any state in this subset to this subset. We 
say that p has decided on v when it is in some state in V p [v] . When p performs 
a transition from a state outside of the set of decided states to the set of decided 
states, we say that p decides. We say that an algorithm A solves consensus if 
the following properties hold in every run of A: 

Agreement: If process p decides on x p and q decides on x q , then x p = x q . 
Validity: If a process decides on v, then v was proposed by some q, i.e., v q = v. 
Termination: Every process must eventually decide. 

At a first glance, solving consensus might appear easier in our model than in the 
classic crash failure model, where processes simply stop executing the algorithm. 
This is not the case, however. As in [8], we model crash failures as follows: A 
process q that crashes in round r is equivalent to taking away all outgoing edges 

5 We only consider messages sent in round r here, so we assume communication- 
closed [10] rounds. 
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of q from round r + 1 on. While g itself can still receive messages and perform 
computations, the remaining processes are not influenced by q from round r on. 

3.2 Communication Model 

The evolving nature of the network topology is modeled as an infinite sequence of 
simple directed graphs Q 1 , Q 2 , . . . , which is fixed by an adversary having access 
to the processes' states. For each round r, we denote the round r communication 
graph by Q r = (V,E r ), where each node of the set V is associated with one 
process from the set of processes 77, and where E r is the set of directed edges 
for round r, such that there is an edge from p to q, denoted as (p —¥ q), iff q 
receives p's round r message (in round r). Figure Q] shows a sequence of graphs 
for a network of 5 processes, for rounds 1 to 3. For any (sub)graph G, we will 
use the notation V(G) and E(G) to refer to the set of vertices respectively edges 
of G, i.e., it always holds that G = (V(G),E(G)). 

For deterministic algorithms, a run is completely determined by the input 
values assigned to the processes and the sequence of communication graphs. 
Therefore, the fact that the adversary knows only the initial values does not 
pose a limitation to its power. 

To simplify the presentation, we will denote a process and the associated 
node in the communication graph by the same symbols and omit the set from 
which it is taken if there is no ambiguity. We will henceforth write p € Q r and 
(p ->• q) £ G r instead of p e V(G) resp. (p ->• q) G E r . 

The neighborhood of p in round r is the set of processes Af£ that p receives 
messages from in round r, formally, Af£ — {q | (q — > p) E Q r }. 

Similarly to the classic notion of "happened-before" [5D], we say that a pro- 
cess p (causally) influences process q in round r, expressed by (p q) or just 
(j> q) if r is clear from the context, iff either (i) p £ J\f£, i.e., if q has an 
incoming edge (p — ¥ q) from p in Q r ', or (ii) if q = p, i.e., we assume that 
p always influences itself in a round. We say that there is a (causal) chain of 

r[k] 

length k 1 starting from p in round r to q, graphically denoted by (p q)or 

[k] 

simply (p q), if there exists a sequence of not necessarily distinct processes 
p = po, . . . ,pk = q such that pi influences Pi+\ in round r + i, for all ^ i < k. 



If k is irrelevant, we just write (p q) or just (p ~-> q) and say that p (in round 
r) causally influences q. 

The causal distance cd r (p,q) at round r from process p to process q is the 
length of the shortest causal chain starting in p in round r and ending in q, 

r[k] 

formally, cd r (p,q) := min{fc | {p q)}. Note that we assume cd r (p,p) = 1. 
The following Lemma Q] shows that the causal distance in successive rounds 
cannot arbitrarily decrease. 

Lemma 1 (Causal distance in successive rounds). For every round r ^ 1 
and every two processes p,q G II , it holds that cd r+1 (p, q) ^ cd r (p, q) — 1. As a 
consequence, if cd r (jp,q) — oo, then also cd r+1 (p,q) — oo. 

Proof. Since (p ~~» p) in every round r, the definition of causal distance trivially 
implies cd r (p,q) ^ 1 + cd r+1 (p,q). □ 

Note that, in contrast to the similar notion of dynamic distance defined 
in |16) . the causal distance in directed graphs is not necessarily symmetric. More- 
over, if the adversary chooses the graphs Q r such that not all nodes are strongly 
connected, the causal distance can even be infinite. In fact, even if Q r is strongly 
connected for round r (but not for rounds r' > r), cd r (p,q) can be infinite. As 
we will not consider the whole communication graph to be strongly connected in 
this paper, we make use of the notation of strongly connected components (SCC). 
We write C£ to denote the (unique) SCC of Q r that contains process p in round 
r or simply C r if p is irrelevant. 

It is apparent that cd r (p, q) and cd r (q,p) may be infinite even if q G C£. 
In order to be able to argue (meaningfully) about the maximal length of causal 
chains within an SCC, we also need some "continuity property" over rounds. This 
leads us to the crucial concept of a I -vertex-stable strongly connected component, 
denoted as C 1 : It requires that the set of vertices of a strongly connected com- 
ponent C remains stable throughout all rounds in the nonempty interval /. Its 
topology may undergo changes, but must form an SCC in every round. Formally, 
C 1 being vertex-stable during I requires that Vp G C 7 , W 6 / : V(Cp) — V^ 1 ). 
The important property of C 1 is that information is guaranteed to spread to all 
vertices of C 1 if the interval / is large enough (cf. Lemma [3]). 

Let the round r causal diameter D r (C I ) of a vertex-stable SCC C 1 be the 
largest causal distance cd r {p, q) for any p,q G C 1 . The causal diameter D^ 1 ) 
of a vertex-stable SCC C 1 in / is the largest causal distance cd x (p,q) starting 
at any round x G / that "ends" in /, i.e., x + cd x (p,q) — 1 G /. If there is no 
such causal distance (because / is too short), D^ 1 ) is assumed to be infinite. 
Formally, for / = [r, s] with s ^ r 

D(C L ) = min {m&x{D x (C r ) \ x G [r, s] and x + D X (C') - 1 < s} U oo} . 

If C 1 consists only of one process, then we obviously have -D(C 7 ) = 1- The 
following Lemma [5] establishes a bound for D^ 1 ) also for the general case. 



Since I ranges from the beginning of r to the end of s, we define \I\ = s — r + 1. 



Lemma 2. [Bound on causal diameter] Let a vertex-stable SCC C 1 for some 
I = [r,s] be given and let |C 7 | 2 be the number of processes in C 1 . If s 
r + \C'\ - 2, then D(C 7 ) < |C 7 | - 1. 

Proof. Fix some process p G C 1 and some r' where r ^ r 1 ^ s — C 7 + 2. Let 
7>o = {p}, and define for each i > the set Vi = V%-i U {g : 3g' G TV-i : q' G 

A/"g Vi is hence the set of processes q such that (p <?) holds. Using 

induction, we will show that \Vk\ ^ min{|C 7 |,fc + 1} for k ^ 0. Induction start 
k = 0: | Pol ^ min{|C 7 |,l} = 1 follows immediately from Vq = {p}. Induction 
step k — >• fc + 1, ^ 0: First assume that already iPfe) = |C 7 | ^ min{|C 7 |, fc + 1}; 
since ^ P/d = C 7 ^ min{|C 7 |,fc + 1}, we are done. Otherwise, consider 

round r' + fc and \Vk\ < \C |: It follows from strong connectivity of Q r +fc [~lC 7 that 
there is a set of edges from processes in Vk to some non-empty set L& C C 1 \ Vk- 
Hence, we have Vk+i = Vk U L&, which implies I'P/t+il ^ \Vk \ + l^fc+l + l = 
k + 2 = min{|C 7 |, k + 2} by the induction hypothesis. 

Thus, in order to guarantee C 1 = Vk and thus |C 7 | = 1^1, choosing k such 
that |C 7 = 1 + k and fc < s - r' + 1 is sufficient. Since s ^ r' + |C 7 | - 2, 
both conditions can be fulfilled by choosing fc = |C 7 | — 1. Moreover, due to the 
definition of Vk, it follows that cd r (p, q) ^ |C 7 | — 1 for all q G C 1 . Since this 
holds for any p and any r' ^ s — \C I \ + 2, we finally obtain |C 7 | — 1 ^ D r (C 1 ) 
and hence |C 7 | — 1 ^ D(C ! ), which completes the proof of Lemma[2j 

Given this result, it is tempting to assume that, for any vertex-stable SCC 
C 1 with finite causal diameter Z?(C 7 ), any information propagation that starts 
at least £>(C 7 ) — 1 rounds before the final round of / will reach all processes in 
C 7 within /. This is not generally true, however, as the following example for 
/ = [1, 3] and a vertex-stable SCC of four processes shows: If Q 1 is the complete 
graph whereas Q 2 — Q 3 is a ring, -D(C 7 ) — 1, but information propagation 
starting at round 2 does not finish by the end of round 3. However, the following 
Lemma [3] gives a bound on the earliest starting round that guarantees this 
property. 

Lemma 3 (Information propagation). Suppose thatC 1 is an I -vertex-stable 
strongly connected component of size ^ 2 that has D(C') < oo, for I = [r,s], 
and let x be the maximal round where x + D x (C 1 ) - I s. Then, 

(i) for every x' G [r,x], it holds that x' + D X '{C I ) - 1 < s and D x ' (C 1 ) < L>(C 7 ) 
as well, and 

(ii) x max{s — C 7 + 2, r}. 

Proof. Since D(Ci) < oo, the maximal round x always exists. Lemma Q] reveals 
that for all p, q G C 7 , we have x — 1 + cd x ~ 1 (p, q) — 1 ^ x + c6. x {p, q) — 1 ^ s, 
which implies x' + cd x (p, q) — 1 ^ s for every x' where r ^ x' $J x and proves 
(i). The bound given in (ii) follows immediately from Lemma [5J 

Since we will frequently require a vertex-stable SCC C 1 that guarantees 
bounded information propagation also for late starting rounds, we introduce 
the following Definition [TJ 



Definition 1 (Z?-bounded /-vertex-stable SCC). An I -vertex-stable SCC 
C 1 with I = [r,s] is D-bounded if D > D J (C 7 ) and D S ~ D+1 (C I ) ^ D. 

4 Required Connectivity Properties 

Up to now, we did not provide any guarantees on the connectivity of the network, 
the lack of which makes consensus trivially impossible^ In this section, we will 
add some weak constraints on the adversary that circumvent this impossibility. 
Obviously, we want to avoid requesting strong properties of the network topology 
(such as stating that Q r is strongly connected in every round r), as this would 
reduce the applicability of our results in real networks. 

As a first attempt, we could assume that, in every round r, the communi- 
cation graph Q T is weakly connected. This, however, turns out to be too weak. 
Even if the adversary choses a static topology, it is easy to see that consensus 
remains impossible: Consider for example the graph that is partitioned into 3 
strongly connected components C , Ci, and C 2 such that there are only outgoing 
edges from Co respectively C\ pointing to C 2 , whereas C 2 has no outgoing edges. 
If all processes in Co start with and all processes in C\ start with 1, this yields 
a contradiction to agreement: For i £ {0, 1}, processes in Ci can never learn 
the value 1 — i, thus, by an easy indistinguishability argument, it follows that 
processes in Co and Ci must decide on conflicting values. 

In order to define constraints that rule out the existence of Co and C\ as above, 
the concept of root components proves useful: Let TV C Q r be an SCC that has 
no incoming edges from any q E Q r \ TV . We say that TV is a root component in 
round r, formally: Vp G TV Mq E Q r : (q — > p) E Q r => q E TV . For example, in 
Figure Hal process p^ forms a root component by itself, while processes p\ and 
P2 form a SCC that is not a root component since it has incoming edges. 

Observation 1 (On root components). Any Q r contains at least one and at 
most n root components ( isolated processes ), which are all disjoint. In case of a 
single root component Tt, Q r is weakly connected. 

Returning to the consensus impossibility example for weakly connected graphs 
above, it is apparent that the two components Co and C\ are indeed both root 
components. Since consensus is not solvable in this case, we assume in the se- 
quel that there is at most a single root component in Q r , for any round r. We 
already know (cf. [5]) that this assumption makes consensus solvable if the topol- 
ogy (and hence the root component) is static. Since we are interested in dynamic 
networks, however, we assume in this paper that the root component may change 
throughout the run, i.e., the (single) root component TV of Q r might consist of 
a different set of processes in every round round r. Figure [T] shows a sequence 
of graphs where there is exactly one root component in every round. It is less 
straightforward to reason about the solvability of consensus in this case. We will 



The adversary can simply choose the empty set for the set of edges in every round. 



establish in Section [JJ consensus is again impossible to solve without further 
constraints. 

As root components are special cases of strongly connected components, we 
define an I -vertex-stable root component TZ 1 as an /-vertex-stable strongly con- 
nected component that is a root component in every round r & I. Clearly, all the 
definitions and results for vertex-stable components carry over to vertex-stable 
root components. 

Restricting our attention to the case where exactly one vertex-stable root 
component TZ 1 exists, it immediately follows from Observation[T]that information 
of any process in TZ 1 propagates to all nodes in 77 if 7 is large enough. More 
specifically, we can extend our notions of causal diameter of a vertex-stable SCC 
to the whole network: The round r network causal diameter D r is the largest 
cd r (p, q) for any p £ 7Z r and any q £ 77. Similarly to the causal diameter of a 
vertex-stable component of an interval, we define the network causal diameter 
D 1 for an interval 7 as the largest round x, x £ I, network causal diameter 
that also (temporally) falls within 7, i.e., satisfies x + D x — 1 G 7 and hence 
x + cd x {p 7 q) — 1 £ I for any p £ TV and any q £ 77. 

The following versions of Lemma[2]and[3]for root components and their causal 
influence on the whole network can be established by proofs almost identical to 
the ones of their SCC versions: 

Lemma 4 (Bound on network causal diameter). Assume that there is a 
single vertex-stable root component TZ 1 for some I = [r, s] . If s ^ r + n — 2, then 
D 1 < n- 1. 

Note that Lemma |4] considers the worst case where the network topologies can 
even correspond to a line. This assumption might be too pessimistic for many real 
world networks. By using graph topologies that allow fast information spread- 
ing, we can get much better causal network diameters like D 1 £ O(logn) (cf. 
Section EU). 

Lemma 5 (Network information propagation). Assume that there is a 
single vertex-stable root component TZ 1 in I = [r, s] with network causal diameter 
D 1 < oo. Let x be the maximal round where x + D x — 1 ^ s. Then, 

(i) for every x' £ [r,x], it also holds that also x' + D x ^ s and D x D 1 , and 

(ii) x max{s — n + 2, r}. 

As in the case of 7-vertex-stable SCCs we also define the 7)-bounded variant 
of root components, which are central to our model. 

Definition 2 (7?-bounded 7-vertex-stable root components). A vertex- 
stable root component TZ 1 in I = [r,s], s r, is D-bounded if D ^ D 1 and 

jjs-D+l ^ D 

Note that a plain 7-vertex-stable root component with I ^ n — 1 is always D- 
bounded for D = n — 1, recall Lemma [5j Our definition also allows some smaller 
choice of D, however. 



We will show in Section [7J that the following Assumption [T] is indeed very 
weak, in the sense that many problems considered in distributed computing 
remain unsolvable. 



Assumption 1. For any round r, there is exactly one root component 1Z T in Q r , 
and all vertex-stable root components 1Z 1 with \I\ ^ D are D-bounded. Moreover, 
there exists an interval of rounds I — [tst, ?"sy+d], with d > AD, such that there 
is a D-bounded I -vertex-stable root component. 

5 The Local Network Approximation Algorithm 

Initially, every process p has no knowledge of the network — it only knows its 
own input value. Any algorithm that correctly solves consensus must guarantee 
that, when p makes its decision, it either knows that its value has been/will be 
adopted by all other processes or it has agreed to take over some other process' 
decision value. In either case, process p needs to locally acquire knowledge about 
the information propagation in the network. As we have seen, p's information is 
only guaranteed to propagate throughout the network if p is in a /-vertex stable 
root component with finite network causal diameter D 1 . Thus, for p to locally 
acquire knowledge about information propagation, it has to acquire knowledge 
about the (dynamic) communication graph. (We will discuss this point in more 
detail in Section [7]) 

We allow p to achieve this by means of Algorithm[T] which essentially gathers 
gathering as much local information on Q s as possible, for every past round s. 
Every process p keeps track of its current graph approximation in variabl^l A p , 
which initially consists of process p, without any edges, and is broadcast and 
updated in every round. Ultimately, every process p will use A p to determine 
whether it has been inside a vertex-stable root component for sufficiently many 
rounds. To this end, Algorithm Q] provides predicate inStableRoot(J), which 
returns true iff p has been in the /-vertex stable root component. The edges of 
A p are labeled with a set of rounds constructed as follows: Since p can learn new 
information only via incoming messages, it updates A p , whenever q € Af p , by 

{r} 

adding (q — > p) if q is p's neighbour for the first time, or updating the label of 

the edge (q p) to (q Ul ^f^ p) (Lines [5] and [Jj. Moreover, from q, p also receives 
A q and uses it to update its own knowledge: The loop in Line |9] ensures that p 

TUT' T' 

has an edge (v — > w) for each (v — > w) in A q , where T is the set of rounds 
previously known to p. Given A p , we will denote the information contained in 
A p about round s by A p \s. More specifically, A p \s is the graph induced by the 
set of edges 



We denote the value of a variable v of process p in round r (before the round r 
computation finishes) as Vp\ we usually suppress the superscript when it refers to 
the current round. 




e 




It is important to note that our Assumption [T] is too weak to guarantee that 
eventually the graph A p \s will ever exactly match the actual Q s in some round 
s. In fact, there might be a process q that does not have any incoming links 
from other processes, throughout the entire run of the algorithm. In that case, 
q cannot learn anything about the remaining network, i.e., A q will permanently 
be the singleton graph. 

To simplify the presentation, we have refrained from purging outdated infor- 
mation from the network approximation graph. Our consensus algorithm only 
queries inStableRoot for intervals that span at most the last AD + 1 rounds, 
i.e., any older information can safely be removed from the approximation graph, 
yielding a message complexity that is bounded by a polynomial in n. 

5.1 Proof of Correctness 



Algorithm 1 Local Network Approximation 
Provides predicate inStableRoot (). 

Variables and Initialization: 

1 : A p := (V p , E p ) initially ({p} , 0) // weighted digraph without multi-edges and loops 

Emit round r messages: 

2: send (A p ) to all current neighbors 

Round r: computation: 

3 : for q G Np and q sent message (A q ) in r do 

4 : if 3 edge e = (q — > p) G E p then 

5 : replace e with (q —t p) in E p where TVlU {r} 

6 : else 

{r} 

7 : add e := [q — I p) to E p 

8: Vpi-VpUVq 

9: for every pair of nodes (pi,Pj) € V p x V p , Pi ^ Pj do 
10: Let T' = (J^S | 3q G A/J: (p>i G £,} 

T TUT' T' 

11: replace (pi —> pj) in E p with (pt — > pj); add (pt —tpj) if no such edge exists 

12: predicate inStableRoot (J) 

13: Let A p \s = (V p s , |(p 3 4 Pi ) G E v \ s G r|) 

14: Let C p \s be the component of p in A p |s or the empty graph if A p \s is not 

strongly connected. 
15: return true iff for all si, s 2 G /: V(C p |si) = V(Cp\s 2 ) / 



Lemma 6. If A p contains (v — > w), i/ien forall t G T : (w — > w) G 5* . In other 
words, A p \t eg*. 



Proof. We consider two cases, depending on whether (a) p — w or (b) p =/= w: 
Case (a) follows from p = w adding the current round number into the label set 
of e = (v — > w) only when v G AfZ (cf . Lines [5] and [7|) . For case (b) , observe 
that (any) p ^ w adds a round number to an edge v — > w only when it receives 
this edge-label from another process. Thus, case (b) can only occur after w has 
added e, which it only does — according to case (a) — when ee?'. 

Note that A p \t can be non-empty only for t < r, as round r information is added 
to A p (by p) only at the end of round r. 

The next lemma shows that locally detecting a strongly connected component 
C p \s C A p \s (in Line [14] of Algorithm Q} implies that p is in the root component 
of round s. 

Lemma 7. // in round r the graph C p \s with s < r is non-empty (hence an 
SCC), thenpe 1Z S . 

Proof. For a contradiction, assume that C p \s is non-empty (hence an SCC by 
Line [T4")) . but p g" 1Z S . By Lemma [51 we get C p \s C Q s . Consider some process 
q' 6 1Z S , then by definition there is a path from q' to p in Q s . Since p 7Z S , this 
path contains at least one edge. Let e = (w — > q) be an edge in this path such 
that q e C p \s but w ^ C p \s. In order to arrive at the desired contradiction, we 
will now show that e must be in A p \s and thus in C p \s. 

Since p and q are both in C p \s, there is a path from p to q in C p \s C Q s . 
Obviously, if (v — ¥ q) is a link incident to q on such a path, it is also in C p \s. As 
only q can have added this link to its A s q in round s, where both {v, w} C A/J, 

q must also have added (w A q) to A s q on that occasion. Since neither edges are 
ever removed from any approximation graph nor rounds are ever removed from 

edge label sets, there must also be an edge (w ^4 q) with s £ J in A p , i.e., in 
A p \s. However, by assumption, w is not in C p |s, thus we have a contradiction to 
C p \s being strongly connected. 

From this lemma and inspection of the code of inStableRoot(J) we get the 
following corollary. 

Corollary 1. //, in round r, the predicate inStableRoot(J) evaluates to TRUE 
at process p, then Vs £ I : s < r => p £ 1Z S . 

The following Lemma [S] proves that, in a sufficiently long / with a /-vertex- 
stable root component, locally detecting an SCC at p in some past round im- 
plies p being member of the root component. Informally speaking, together with 
Lemma [3 it asserts that an J- vertex-stable root component 1Z 1 for a sufficiently 
long intervals /, a process p will get inStableRoot(J) = true iff p € 1Z. 

Lemma 8. Consider an interval of rounds I = [r,s], such that there is a D- 
bounded I -vertex-stable root component 1Z 1 and assume \I\ = s — r + 1 > D 
D^ 1 ). Then, from then end of round r + D onwards, we have C p \r = TZ 1 , for 
every process in p e TZ 1 . 



Proof. Consider any q G 7Z 1 . At the beginning of round r + 1, q has an edge 

(q' — > q) in its approximation graph A q with r S T iff g' £ A/J . Since processes 
aiways merge ail graph information from other processes into their own graph 
approximation, it follows from the definition of a D-bounded J- vertex-stable root 
component in conjunction with the fact that r + 1 ^ s — D + l that every p 6 7?/ 
has these in-edges of g in its graph approximation by round r + 1 + D — 1. Since 
is a vertex-stable root-component, it is strongly connected without in-edges 
from processes outside 1Z 1 . Hence C p \r = 1Z 1 from round r + D on, as asserted. 

Corollary 2. Consider an interval of rounds I — [r, s], with \I\ = s — r + 1 > 
D ^ DiTZ 1 ), such that there is a D -bounded vertex-stable root component 1Z 1 . 
Then, from the end of round s on, predicate inStableRoot([r, s — D\) evaluates 
to true at every process in 1Z 1 . 

6 The Consensus Algorithm 

The underlying idea of our consensus algorithm is to use flooding to forward 
the largest proposed value to everyone. However, as Assumption Q] does not 
guarantee bidirectional communication between every pair of processes, flooding 
is not sufficient: The largest proposal value could be known only to a single 
process that never has outgoing edges. Therefore, we let "privileged" processes, 
namely, the ones in a vertex-stable root component, try to impose their largest 
proposal values on the other processes. In order to do, so we use the well-known 
technique of locking a unique value. Processes only decide on their locked value 
once they are sure that every other process has locked this value as well. Since 
Assumption [1] guarantees that there will be one root component such that the 
processes in the root component can communicate their locked value to all other 
processes in the system they will eventually succeed. 

Our consensus algorithm will hence be built atop of the network approxima- 
tion algorithm. More specifically, in order to detect that a process is currently 
privileged, i.e., in a vertex-stable root component, we can rely on Corollary [1] 
and use the inStableRoot predicate provided by Algorithm [TJ To be able to 
do so, round r of Algorithm [T] is executed before round r of Algorithm [5J and 
messages sent in round r by both algorithms are packed together in a single 
message. Since Corollary [5] revealed that inStableRoot has a delay of up to D 
rounds to detect that a process is in the vertex-stable root component of some 
interval of rounds, however, our algorithm (conservatively) looks back D rounds 
in the past for locking and privilege detection. 

In more detail, Algorithm [2] proceeds as follows: Initially, processes do not 
have locked any value, therefore lockRound p — and locked = false. Processes 
try to detect whether they are privileged by evaluating the condition in Line [TU1 
When this condition is true in some round £, they lock the current value (by 
setting lockedp = true and lockRound to the current round), unless locked p is 
already true. Note that our locking mechanism does not actually protect the 
value against being overwritten by a larger value being also locked in £; it locks 
out only those values that have older locks / < I. 



When the process m that had the largest value in the root component of 
round £ detects that it has been in a vertex-stable root component in all rounds 
£ to £ + D (Line [2D]), it can decide on its current value. As all other processes in 
that root component must have had m's value imposed on them, they can decide 
as well. After deciding, a process stops participating in the flooding of locked 
values, but rather (Line [5]) floods the network with (decide, x). Since the time 
window guaranteed by Assumption [T] is large enough to allow every process to 
receive this message, all processes will eventually decide. 

6.1 Proof of Correctness 

Lemma 9 (Validity) . Every decision value is the input value of some process. 

Proof. Processes decide either in Line Q21 or in Line When a process decides 
via the former case, it has received a (decide, x q ) message, which is sent by q 
iff q has decided on x q in an earlier round. In order to prove the theorem, it is 
thus sufficient to show that processes can only decide on some process' input 
value when they decide in Line I21[ where they decide on their current estimate 
x p . Let the round of this decision be r. This value is either p's initial value, or 
was updated in some round r' r in Line [TJ] from a value received by way of 
one of its neighbors' (lockRound,x) message. In order to send such a message, 
q must have had x q — x at the beginning of round r' , which in turn means that 
x q was either q's initial value, or q has updated x q after receiving a message 
in some round r q < r. By repeating this argument, we will eventually reach a 
process that sent its initial value, since no process can have updated its decision 
estimate prior to the first round. 

The following Lemma [TUJ states a number of properties maintained by our 
algorithm when the first process p has decided. Essentially, they say that there 
has been a vertex-stable root component for at least 2D + 1 rounds centered 
around the lock round £ (but not earlier), and asserts that all processes in that 
root component chose the same lock round £. 

Lemma 10. Suppose that some process p decides in some round r, no decisions 
occurred before r and let £ — lockRound r p , then 

(i) p is in the vertex-stable root component 1Z 1 with I = [£ — D — 1, £ + D], 

(ii) l + D <r ^£ + 2D, 
(Hi) Tl 1 + K £ - D - 2 , and 

(iv) all processes in 1Z 1 executed Line \18\ in round £. 

Proof. Item (i) follows since Line [15] has been continuously true since round £ 
and from Corollary [1] As for item (ii) , I + D ^ r follows from the requirement 
of Line [20] while r ^ £ + 2D follows from (i) and the fact that by Corollary [2] 
the requirement of Line [201 cannot be, for the first time, fullfilled strictly after 
round £ + 2D (but already by £ + 2D). From Corollary [3J it also follows that if 
1Z}~ D ~ 2 = 1Z 1 , then the condition in Line[l5]would return true already in round 
£ — 1, thus locking in round £ — 1. Since p did not lock in round £ — 1, (hi) must 



hold. Finally, from (i), (iii), and Corollary [21 it follows that every other process 
in TZ 1 also has inStableRoot([^ - D — 1, £ - D]) = true in round I. Moreover, 
due to (iii), inStableRoot([£ -1 - D - 1,1-1- D]) = FALSE in round £ — 1, 
which causes all the processes in TZ 1 to set locked to false. Thus, (iv) also holds. 

Lemma 11 (Same Round Agreement). Consider that two processes p and 
q both decide in the same round r in Line \21[ then the decision values of p and 
q are the same. 

Proof. We proceed by assuming x q ^ x p , where without loss of generality x q > 
x p , and derive a contradiction. From Lemma [TU] items (i) and (ii), it follows that 
the intervals in which p and q observed themselves as being in a vertex-stable 
root component intersect, and so these root components must be the same. Thus, 
let TZ 1 resp. / denote the vertex-stable root component resp. interval that leads 
to p and q deciding. Now, Lemma [TU] item (iv) implies that they locked in the 
same round, say £. Moreover, due to / D [£,£+ D], there is a causal chain of 
of length at most D connecting q's locking round and p's decision round. Along 
this causal chain, consensus messages (£i, Xi) travel as well. Since Lemma [TOl item 
(iv) implies that all £% are the same, and Line 1141 implies x p X{ Xi-x ^ x q , 
we arrive at a contradiction to the assumption x q > x q . 

The following Lemma [T^] asserts that if a process decides, then it has suc- 
cessfully imposed its proposal value on all other processes. 

Lemma 12 (Identical proposal values). Suppose that process p decides in 
Line \21\ in round r and that no other process has executed Line \21\ before r. 
Then, for all q, it holds that x q = x r p . 

Proof. Using items (i) and (iv) in Lemma [TOl we can conclude that p was in the 
vertex-stable root component TZ of rounds £ — lockRound r p to £ + D and that 
all processes in 1Z have locked in round £. Therefore, in the interval [£, £ + D] , £ 
is the maximal value of lockRound. More specifically, all processes q in TZ have 
lockRoundq — £, whereas all processes s in iT \ TZ have lockRound s ^ £ during 
these rounds. Let m S TZ have the largest proposal value x l m = x max among all 
processes in TZ. Since m is in TZ, there is a causal chain of length at most D from 
m to any q E LI. Since no process executed Line [2TJ before round r, no process 
will send decide messages in [£,£ + D]. Thus, all processes continue to execute 
the update rule of Line I14( which implies that x max will propagate along the 
aforementioned causal path to q. 

Theorem 1. Let r$r be the first round where Assumption\J\holds. Algorithm^ 
in conjunction with Algorithm^ solves consensus by round r$r + 4D + 1. 

Proof. Validity holds by Lemma [9j Considering Lemma [121 we immediately get 
Agreement: Since the first process p that decides must do so via Line [2TJ there 
are no other proposal values left in the system. 

Observe that, so far, we have not used the liveness part of Assumption [TJ In 
fact, Algorithm [2] is always safe in the sense that Agreement and Validity are 
not violated, even if there is no vertex-stable root component. 



Wc now show the Termination property. By Corollary [21 we know that every 
process in p 6 TZ evaluates the predicate inStableRootQrsT, rsr + 1]) = true 
in round £ — tst + D + 1, thus locking in that round. Furthermore, Assumption[T] 
and Corollary[2]imply that at the latest in round d = £ + 2D every process p € TZ 
will evaluate the condition of Line [20] to true and thus decide using Line [2T1 
Thus, every such process p will send out a message m = (decide, x p ). By the 
definition of D and Assumption [TJ we know that the round d network causal 
diameter satisfies D d {II) ^ D, such that every q £ II will receive the decide 
message at the latest in round d + D = I + 3D = r$T + 41? + 1. 



Algorithm 2 Solving Consensus; code for process p 



1 : Simultaneously run Algorithm [T] 



Variables and Initialization: 

x p € N initially v p 

lockedp, decidedp £ {false, true} initially false 
lockRoundp £ Z initially 

Emit round r messages: 
if decidedp then 

send (decide, x p ) to all neighbors 
else 

send (lockRoundp, Xp) to all neighbors 



Round r computation: 

9: if not decidedp then 

10: if received (decide, x q ) from any neighbor q then 
11: Xp ^ Xq 

12 : decide on x p and set decidedp 4— true 

13: else // p only received (lock q ,x q ) messages (if any): 

14: (lockRoundp, Xp) <— max {(lock q , x q ) \ q G Hp U {p}} // lexical order in max 



15 
16 
17 
18 
19 
20 
21 
22 
23 



if inStableRoot([r — D — l,r — D]) then 
if (not lockedp) then 

lockedp <— true 

lockRoundp r 
else 

if inStableRoot ([lockRoundp, lockRoundp + D]) then 
decide on x p and set decidedp -s— true 
else // inStableRoot ([r — D — 1, r — D]) returned FALSE 
lockedp <!— false 



6.2 Improved Time Complexity 



We now discuss how to guarantee a smaller causal network diameter, by consider- 
ing additional properties on the topologies of the network. We will use expander 
graphs, which are a frequently used technique for designing robust and fault- 
tolerant networks (e.g. [5]). An (undirected) graph Q is an a-vertex expander if, 
for all sets ScVof size < \Q\/2, it holds that > a, where N(S) is the 

set of neighbors of S in Q. Such graphs exist and can be constructed explicitly 

(cf. Em). 

For a vertex set S and a round r, we consider the set AfL(S) of nodes outside 
of S that are reachable from S and the set of nodes ML (S) that can reach S in 
r. 

Assumption 2 (Expander Topologies). Suppose that Assumption^ holds 
and consider the corresponding I-vertex stable root component TZ 1 with interval 
I = [b, e]. For all r G I and some fixed constant a, the following conditions hold 
for for all sets S C V(G r ): 

(a) If \S\ < and S C TZ 1 , then '^g^ 1 ^ a and ^gplj j> a . 

(7>J // |5| s$ n/2 and K 1 C S, i/ien ^fl^ 1 ^ a. 
(cj // |5| s$ n/2 and ft J D 3 = 0, i/ien ^ff^ ^ a. 

Lemma 13. There are sequence of graphs where Assumptions^ and& are sat- 
isfied simultaneously and, for any such run, there is an interval I during which 
there exists an O (log n) -bounded I-vertex stable root component. 

Proof. We will first argue that directed graphs exist that simultaneously satisfy 
Assumptions Q] and El Consider r € I and the simple undirected graph U that is 
the union of an a-vertex expander on TZ 1 and an a-vertex expander on V(Q r ). 
Replacing every edge e G E(U) with 2 oppositely oriented directed edges guaran- 
tees Properties (a)-(c), however, Assumption[T]might not hold for J, since TZ 1 will 
no longer be a root component if |7\L 7 | < n. To remedy this, we drop all directed 
edges pointing to TZ 1 from the remaining graph, which leaves the graph weakly 
connected and Properties (a)-(c) intact. We stress that the actual topologies 
chosen by the adversary might be quite different from this construction, which 
merely serves us to show the existence of such graphs. 

We prove that Assumption [2] gives a network causal diameter in O(logn). 

For i > 1, let V % C TZ 1 be the set of processes q in TZ 1 such that (p ^ q), 
and V° = {p}. We first show that D^IZ 1 ) G O(logn). The result is trivial if 
\TZ ! \ G O(logra), thus assume that G J7(logn) and consider some process 
p G TZ 1 . For round b, Property (a) yields \V l \ ^ |'P |(1 + a). In fact, for all i 
where \TZ'\/2, we can apply Property (a) to get \P' l+1 \ > |-p|(l + a), 

hence > (1 + a)\ Let k be the smallest value such that \V k+1 \ > |7e J |/2. 
By the above, this is true for any k > ^f^Tjq^ff £ O(logn). Now consider 
any q at round b + 2k and define Q 1 ^ 1 C TZ 1 as the set of nodes that causally 
influence the set Q l in round b + i, for Q 2k = {q}. Again, by Property (a), we 



get \Q l ~ 1 \ > |Q 4 |(1 + a), so \Q l \ ^ (1 + a) 2k -' 1 for any i where Q 1 " 1 |^ 7 |/2 
and hence |Q fc | > \R I \/2. Since n Q fe ^ 0, it follows that every p e K 1 

influences every q G 1Z 1 within 2k G 0(log n) rounds. 

Finally, to see that D 1 S O(logn), we use Property (b): At any round r G 
[&, e — 2fc' + 1], we know that any process p G 1Z 1 has influenced at least n/2 
nodes by round r + k' where k' > log 1+Q (n/2) G O(logn). Property (c) allows 
us to reason along the same lines as for the sets above. That is, p will 

influence every q G II by round r + 2k' , which completes the proof. 

Corollary 3. Suppose that Assumptions [7] and [H hold. Then, running Algo- 
rithms^ and\^ solves consensus by r$T + O(logn) rounds. 

7 Impossibilities and Lower Bounds 

In this section, we will prove that our basic Assumption [1] in particular, the 
existence of a stable window (of a certain minimal size) and the knowledge 
of an upper bound D on the causal network diameter, are crucial for making 
consensus solvable. Moreover, we will show that it is not unduly strong, as many 
problems considered in distributed systems in general (and dynamic networks in 
particular) remain unsolvable. 

First, we relate our Assumption[T]to the classification of [7]. LemmalMlreveals 
that it is stronger than one of the two weakest classes, but also weaker than the 
next class. 

Lemma 14 (Properties of root components). Assume that there is at most 
one root component TV in every Q T , r > 0. Then, (i) there is at least one process 
p such that cd 1 {p, q) is finite for all q G 77. Conversely, for n > 2, the adversary 
can choose topologies where (ii) no process p is causally influenced by all other 
processes q, i.e., ftp \fq: cd 1 (q,p) < oo. 

Proof. Since we have infinitely many rounds in a run but only finitely many 
processes, there is at least one process p in lZ r for infinitely many r. Let n, r2, • • • 
be this sequence of rounds. Moreover, let Vo = {p}, and define for each i > 
the set Pi = Vi-\ U {q : 3q' G Vi-x ■ q' G A/£}. 

Using induction, we will show that \Vk\ min{n, k + 1} for k 0. Conse- 
quently, by the end of round r n _i at latest, p will have causally influenced all 
processes in 77. Induction base k — 0: \Vq\ ^ min{rt, 1} = 1 follows immediately 
from Vq = {p}. Induction step k — > k + 1, k ^ 0: First assume that already 
[Pk\ = n ^ min{n, k + 1}; since l^fc+i ^ \Vk\ = n ^ min{n, k + 1}, we are done. 
Otherwise, consider round ru+x and \Vk\ < n: Since p is in lZ rk+1 , there is a 
path from p to any process q, in particular, to any process q in 77 \ Vk ^ 0- Let 
(v — > w) be an edge on such a path, such that v G Vk and w G 77 \Vk- Clearly, 
the existence of this edge implies that v G AC° +1 and thus w G Vk+x- Since this 
implies IPfc+il ^ \Vk \ + l^fc + l + l = fc + 2 = min{n, k + 2} by the induction 
hypothesis, we are done. 



The converse statement (ii) follows directly from considering a static star, for 
example, i.e., a communication graph where there is one central process c, and 
for all r, Q r = (77, {c — > q\q E II \ {c}}). Clearly, c cannot be causally influenced 
by any other process, and q ■/-> q' for any q, q' ^ q 6 77 \ {c}. On the other hand, 
this topology satisfy Assumption [1] which includes the requirement of at most 
one root component per round. 

Next, we examine the solvability of several broadcast problems under As- 
sumption [1] Although there is a strong bond between some of these problems 
and consensus in traditional settings, they are not implementable under our 
assumptions — basically, because there is no guarantee of (eventual) bidirectional 
communication. 

We first consider reliable broadcast, which requires that when a correct pro- 
cess broadcasts to, every correct process eventually delivers to. Suppose that the 
adversary chooses the topologies Vr : Q r = ({p, q, s} , {p — > q, q — > s}), which 
matches Assumption [TJ Clearly, q is a correct process in our model. Since p 
never receives a message from q, p can trivially never deliver a message that q 
broadcasts. 

We now turn our attention to the various problems considered in |17j , which 
are all impossible to solve under Assumption Q] More specifically, we return to 
the static star considered in the proof of Lemma QjJ Clearly, the local history of 
any process is independent of the size n. Therefore, the problems of counting, 
fc-verification, and fc-committee election are all impossible. For the token dissem- 
ination problems, consider that there is a token that only p ^ c has. Since no 
other process ever receives a message from p, token dissemination is impossible. 

Theorem 2. Suppose that Assumption\7\is the only restriction on the adversary 
in our model. Then, neither reliable broadcast, atomic broadcast, nor causal- 
order broadcast can be implemented. Moreover, there is no algorithm that solves 
counting, fc-verification, fc-token dissemination, all-to-all token dissemination, 
and fc-committee election. 

7.1 Knowledge of a Bound on the Network Causal Diameter 

Theorem 3 (Knowledge of a Bound on the Network Causal Diameter). 

Consider a system where Assumption^ holds and suppose that processes do not 
know an upper bound D on the network causal diameter ( and hence do not know 
n). Then, there is no deterministic algorithm that solves consensus. 

Proof. Assume for the sake of a contradiction that there is such an algorithm 
A. Consider a run a(v) of A on a communication graph G that forms a (very 
large) static directed line rooted by process p and ending in process q. Process 
p has initial value v S {0, 1}, all other processes have initial value 0. Clearly, 
algorithm A must allow p to decide on v by the end of round k, where k is a 
constant (independent of D and n; clearly, we assume that n is large enough to 
guarantee n — 1 > k). Next, consider a run j3{v) of A that has the same initial 



states as a(v), and communication graphs (H r ) r> o that, during rounds [1, ft], are 
also the same as in a(v) (defining what happens after round k will be dcfcrcd). 
In any case, since a(v) and ft(v) are indistinguishable for p until its decision 
round k, it must also decide v in f3(v) at the end of round k. 

However, since n > n + 1, q has not been causally influenced by p by the 
end of round k. Hence, it has the same state S^ +1 both in (3(v) and in /3(1 — v). 
As a consequence, it cannot have decided by round k: If q decided v, it would 
violate agreement with p in — v). Now assume that run /?(.) is actually such 
that the stable window occurs later than round k, i.e., tst = k + 1, and that 
the adversary just swaps the direction of the line then: For all H k , k ^ k + 1, 
q is the root and p is the last process of the resulting topology. Observe that 
the resulting j3(v) still satisfies Assumption [T] since q itself forms the only root 
component. Now, q must eventually decide on some value v' in some later round 
k' , but since q has been in the same state at the end of round k in both f3(v) 
and /3(1 — v), it is also in the same state in round re' in both runs. Hence, its 
decision contradicts the decision of p in /3(1 — v'). 

It is straightforward to see that Theorem [3J also holds for any randomized 
(Las Vegas) algorithm, i.e., a randomized algorithm that achieves consensus in 
every run. For this, we consider a variant of the state transition function (cf. 
Section [3]) that, in every round, additionally takes as input the outcome of an 
unbiased coin flip for determining the successor state. We can adapt the above 
proof by replacing k with the earliest round where p decides with probability 
7r > 0; by Validity, p's possible decision must be v. Since a(v) and (3(v) are 
indistinguishable for p, the probability that it also decides (on v) in (3{v) is 
exactly tt. However, q cannot have a nonzero probability to decide on any value, 
as deciding on v' in — v') would violate agreement. 

Corollary 4. Assume that Assumption [7] holds and suppose that processes do 
not know an upper bound on the network causal diameter. Then, there is no 
randomized algorithm that solves consensus in every run. 

7.2 Impossibility of consensus with too short intervals 

Our goal in this section is to show that it is necessary to have root components 
that are vertex stable long enough to flood the network. That is, w.r.t. Assump- 
tion [TJ we need / to be in the order of D. To this end, we first introduce the 
following alternative Assumption [31 which requires a window of only D: 

Assumption 3. For any round r, there is exactly one root component 1Z T in 
Q r . Moreover, there exists a D and an interval of rounds I = [r$T , tst + D] , 
such that there is an I -vertex stable root component 1Z 1 , such that D 1 ^ D. 

In order to show that Assumption [3] is necessary, we further shorten the 
interval: Some process could possibly not be reached within D — 1 rounds, but 
would be reached if the interval was D rounds. Processes could hence withold 
information from each other, which causes consensus to be impossible |23j . To 



simplify the proofs, we consider a stronger variant, where there is exactly one 
such process q, that is not reached within D — 1 rounds, from any process in 
1Z 1 . Note that, since it is exactly one, we have that in executions where the 
interval is actually D rounds, it will be reached. Thus we consider the following 
assumption: 

Assumption 4. For any round r, there is exactly one root component 1Z T in 
Q r . Moreover, there exists a D and an interval of rounds I = [rsr, rsr + D — 1], 
such that there is an I -vertex stable root component 7Z 1 , and there exists a unique 
q G II such that Vp G 7Z 1 , Vr G / : cd r (p, q) D, while for all q' G II \ {q} we 
have Vp ell 1 , Mr El: cA r {p,q') £> - 1. 

Note that, those executions that fulfill Assumption [TJ and where D 1 = D 
also fulfill Assumption [4] But the latter also allows executions where the longest 
interval with a vertex stable interval is (much) shorter than AD. 

In the sequel we assume that the adversary has to fix the start of I and the 
set of processes in the root component 1Z T of every round r before the beginning 
of the execution, every round r before the beginning of the execution. Note 
that this does not strengthen the adversary, and hence does not weaken our 
impossibility result. 

Lemma 15. Assume some fixed I and 1Z 1 , such that Assumption [J] holds. If 
two univalent configurations C and C" at the beginning of round r differ only 
in the state of one process p, they cannot differ in valency. 

Proof. The proof proceeds by assuming the contrary, i.e., that C and C" have 
different valency. We will then apply the same sequence of round graphs to 
extend the execution prefixes that led to C and C" to get two different runs 
e' and e". It suffices to show that there is at least one process q that cannot 
distinguish e' from e": This implies that q will decide on the same value in both 
executions, which contradicts the assumed different valency of C and C". 

Our choice of the round graphs depends on the following two cases: (i) p 
is in 1Z r and r G I or (ii) otherwise. In the second case, we assume that the 
adversary choses 1Z S = {q} ^ {p} for all rounds s > r. We can thus consider 
a sequence of graphs Q 8 , for s ^ r, such that cd s (q,p) — D which obviously 
fulfills Assumption |U But for q (and all other processes except p) , e' and e" are 
indistinguishable . 

In case (i), by our Assumption 21 there is some q, such that the information 
that p sends in round r does not arrive at some specific q within / = [a, b]. Now 
assume that the adversary choses 1Z S = {q} for all s > b. Clearly, for process 
g, the sequence of states in the extension starting from C and C" is the same. 
Therefore, the two runs are indistinguishable to q also in this case. 

Lemma 16. Consider a round r configuration C , then between any two round 
r graphs Q' and Q" , there is a k such that we can find a sequence of graphs 
Q' i Gi, ■ • ■ Qi ■ ■ - Q" each with a single root component, where any two graphs fol- 
lowing each other in the sequence differ only in at most one edge. Moreover, if 
Q' and Q" have the same root component 1Z so do all Qi . 



Proof. First, we consider two cases with respect to the root components TZ' and 
TZ": (a) TZ' n TZ" = 0, (b) TZ' n 71" ^ 0. Moreover, for the second part of the 
proof, we also consider a special case of (b): (b') TZ' = TZ" . 

For case (b) (and thus also for (b'), we consider Q\ = Q' . For case (a), we 
construct Q\ from Q' as follows: Let p' G TV and p" G TZ" , then Q\ has the same 
edges as Q' plus a = p" — > p', thus TZi D TZ' U {p"} (recall that p" must be 
reachable from TZ' already in Q'). So, now we have that in both cases Q' and Q\ 
differ in at most one edge. Moreover, there is a nonempty intersection between 
TZi and TZ". 

In the first phase of our construction (which continues as long as E"\Ei ^ 0), 
we construct Gi+i from Qi, i 1, by choosing one edge e = (v — > w) from E"\Ei 
and let Gi+i have the same edges as Qi plus e. Clearly, ^ and C/j+i differ in at 
most one edge. Moreover, when adding an edge, we cannot add an additional 
root component, so as long as we add edges we will have that Qi+i has a single 
root component TZi + i D R' . 

When we reach a point in our construction where E"\Ei — 0, the first phase 
ends. As Qi now contains all the edges in Q", i.e., Ei D E" and we have TZi 3 R" . 
In the second phase of the construction, we remove edges. To this end, we choose 
one edge e = (v — >■ w) from Ei \ E" ', and construct Gi+i from Qi by removing e. 
Again we have to show that there is only one root component. Since we never 
remove an edge in E" , Qi always contains a directed path from some x G TZ" to 
both v and w that only uses edges in E" . As e ^ E", this also holds for Qi+\. 
Since there is only one root component in Q" , this implies that there is only one 
in Q'. 

Let Qj be the last graph constructed in the first phase, and Qk the last graph 
constructed in the second phase. It is easy to see that Ek = Ej \ (Ej \ E"), which 
implies that Ek = E" and hence Qk — E" . This completes the proof of the first 
part of the Lemma. 

To see that the second part also holds, we consider case (b') in more detail 
and show by induction that 7£j+i = TZi = TZ. For the base case we recall that 
Qi — G' and thus TZ\ — R' . For the induction step, we consider first that the 
step involves adding an edge e = (v — > w). Adding an edge can only modify the 
root component when v ^ TZi and w G TZi. Since such an edge e is not in E" 
(as it has the same root component as £"), we cannot select it for addition, so 
the root component does not change. If on the other hand the step from Qi to 
Qi+i involves removing the edge e = (v — > w), then we only need to consider 
the case where v G TZi. (If v TZi, then also w £ TZi so the root component 
cannot change by removing e.) But since we never remove edges from E" , this 
implies that even after removing e there is still a path from v to w, so the root 
component cannot have changed. 

Theorem 4. Assume that Assumption^ is the only requirement for the graph 
topologies. Then consensus is impossible. 

Proof. We follow roughly along the lines of the proof of [321 Lemma 3] and 
show per induction on the round number, that an algorithm A cannot reach a 
univalent configuration until round r. 



For the base case, we consider binary consensus only and argue similar to 
but make use of our stronger Validity property: Let C° be the initial configu- 
ration, where the processes with the x smallest ids start with 1 and all others 
with 0. Clearly, in Cq all processes start with and in all start with 1, so 
the two configurations are 0- and 1-valent, respectively. To see that for some x 
C° must be bivalent, consider that this is not the case, then there must be a C° 
that is 0-valent while C° +1 is 1-valent. But, these configurations differ only in 
Px+i, and so by Lemma [TS] they cannot be univalent with different valency. 

For the induction step we assume that there is a bivalent configuration C at 
the beginning of round r — 1, and show that there is at least one such config- 
uration at the beginning of round r. We proceed by contradiction and assume 
all configurations at the beginning of round r are univalent. Since C is bivalent 
and all configurations at the beginning of r are univalent, there must be two 
configurations C and C" at the beginning of round r which have different va- 
lency. Clearly, C and C" arc reached from C by two different round r — 1 graphs 
Q' = (II,E') and Q" = (II, E"). Lemma [T6l shows that there is a sequence of 
graphs that can be applied to both C and C" . Further, note that each pair of 
subsequent graphs in this sequence differ only in one link v — > w, so the result- 
ing configurations differ only in the state of uu. Moreover, if the root component 
in Q' and Q" is the same, all graphs in the sequence also have the same root 
component. Since the valency of C and C" was assumed to be different, there 
must be two configurations C and C in the sequence of configurations that 
have different valency and differ only in the state of one process, say p. Applying 
Lemma[15]to C and C again produces a contradiction, and so not all successors 
of C can be univalent. 

8 Conclusion 

We introduced a novel framework for modeling dynamic networks with directed 
communication links, and introduced a weak connectivity assumption that makes 
consensus solvable. Without such assumptions, consensus is trivially impossible 
in such systems as some processes can withhold their input values until a wrong 
decision has been made. We presented an algorithm that achieves consensus 
under this assumption, and showed several impossibility results and lower bounds 
that reveal that our algorithm is asymptotically optimal. 
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